[SHIRO-552] JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Resolved
Affects Version/s: 1.2.4
Fix Version/s: 1.5.0
Component/s: None
Labels:
None

Description

The org.apache.shiro.realm.jdbc.JdbcRealm class, when configured with SaltStyle.COLUMN, assumes that password column is Base64 but salt column is utf8 bytes.

The password is returned as a char[] (see JdbcRealm.java:241), which org.apache.shiro.authc.credential.HashedCredentialsMatcher (see HashedCredentialsMatcher.java:353):

        if (credentials instanceof String || credentials instanceof char[]) {
            //account.credentials were a char[] or String, so
            //we need to do text decoding first:
            if (isStoredCredentialsHexEncoded()) {
                storedBytes = Hex.decode(storedBytes);
            } else {
                storedBytes = Base64.decode(storedBytes);
            }
        }

However, the salt is returned as a ByteSource, by converting the DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:

            if (salt != null) {
                info.setCredentialsSalt(ByteSource.Util.bytes(salt));
            }

This is broken and inconsistent.

Not all salt byte[]s are valid UTF8 strings, so the default assumption should be that the salt column is Base64 encoded.

Attachments

Issue Links

links to

GitHub Pull Request #138

Github pull request: Support base64 encoded salt in JdbcRealm

Activity

People

Assignee:: Unassigned

Reporter:: Richard Bradley

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Dec/15 15:01

Updated:: 02/Aug/19 19:08

Resolved:: 02/Aug/19 19:08

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10m